malwarewikiaorg-20200223-history
Melissa
Melissa is a very dangerous macro virus that appeared in spring of 1999. The virus received a great deal of media attention and like Michelangelo caused little damage, although it was very widespread. Melissa began spreading exactly one month before CIH released its payload, causing hundreds of millions of dollars in damage in East Asia. It is one of the first viruses to achieve "rock star" status. Behavior Melissa arrives in an email, with the subject line "Important Message From ". The "sender" will be the actual email address that it came from. The body of the message is "Here is that document you asked for ... don't show anyone else ;-)". The attachment is named list.doc and contains a list of 80 pornographic websites with usernames and passwords. When an infected document is opened, Melissa checks if the Microsoft Office registry key has a subdirectory named "Melissa?" exists with "... by Kwyjibo" set as its value. If the value has been set, the virus will not perform the mailing routine. If the value is not set, the virus mails itself to fifty addresses in the user's Address Book. Melissa infects the Normal.dot template, which is used by default in all Word documents. This gives the virus the ability to infect and send other documents than just the porn site list, potentially leaking sensitive information. Users can also unknowingly spread the virus when other documents become infected and they send them to another computer. If any document is opened or a new document is created, that document will be infected. Melissa also has another payload that triggers itself once an hour and chooses the minute of the payload's delivery by the day (as an example, if the day is April 19, the payload will be delivered on the 19th minute of every hour that day). If an infected document is opened or closed at that minute, Melissa will insert this text into the document Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here. This is a reference to the Simpson's episode, "Bart the Genius". Variants Melissa.W (Prilissa) The virus arrives as an email attachment. The email text says "This document is very important and you've GOT to read this!!!" When Prilissa activates, it displays the message: "Vine...Vide...Vice...Moslem Power Never End...Your Computer Have Just Been Terminated By -= CyberNET =- Virus!!" -". The user's documents will be covered in randomly colored squares. It then overwrites the AUTOEXEC.BAT file to format the hard drive. This message actually come from the virus Cybernet, a Macro virus. This variant may take some code from an earlier macro virus called Pri and be a hybrid of Melissa and this macro. Effects While the virus had no deliberately malicious payload, it did place a burden on email servers, making it a Denial of Service attack. Also the "damages" were mostly lost productivity due to companies closing down their servers. Many people in the IT industry said that the situation could have been much worse, as all the virus really did was email itself. Kwyjibo said in court that he did not code the virus to deliberately cause any harm, believing any damage would be incidental and/or minimal. He claimed the virus was even designed to not cause damage to computers. The virus is reported to have caused $80 million of damage in North America alone and about $1.1 billion worldwide. Some estimates say at least 100,000 computers were infected and 300 organizations reported infections. Game publisher GT Interactive accidentally sent out the virus in a press release. The company said Melissa did not do them any damage but did cause a great deal of embarrassment. CERT claims that Melissa was reported in countries as far away as Canada, the Netherlands, New Zealand, Qatar, Singapore, Sweden, and the United Kingdom. In addition, CERT claims that 233 organizations and 81,285 computers had Melissa infections and that one site reported receiving 32,000 copies of mail messages containing Melissa on its systems within 45 minutes. In a situation similar to that of the Michelangelo hysteria, people began buying anti-virus software and scanning their computers, only to find much older viruses that did not receive as much media hype. Origin Melissa was coded and released by Kwyjibo (David L. Smith) in Aberdeen, New Jersey, USA and posted to the newsgroup alt.sex using a cracked America Online account. It was named after a stripper Kwyjibo knew in Florida. The virus was for a short time believed to have originated in Europe. Kwyjibo pleaded guilty on 1999.12.09 and was sentenced to 20 months in federal prison, three years of supervised release, a $5,000 fine and 100 hours of community service in 2002. The maximum sentence at the time was five years in prison and a $250,000 fine, but the judge took into consideration the fact that Kwyjibo cooperated with federal and state authorities. He also faced 10 years in prison and a $150,000 fine on one count of second-degree computer-related theft. His total prison time could have added up to nearly 40 years. In exchange for reducing his sentence to 20 months, Kwyjibo began working with the FBI to help the Bureau find virus and worm creators. He started working for them 18 hours a week, then later a full 40 hours, at which point the FBI began paying his rent, insurance and utilities, which totalled nearly $12,000. While working for the FBI, Kwyjibo was instrumental in the finding and capture of Jan de Wit, creator of OnTheFly, and Simon Vallor, creator of Gokar. Other Facts The text of one of Melissa's payloads, as well as Kwyjibo's handle, come from this scene the "Simpsons" episode, "Bart the Genius": Bart (playing scrabble with the rest of the family): K-W-Y-J-I-B-O... Kwyjibo. 22 points... plus 50 points for using all my letters! Game's over. I'm outta here! Homer: Wait a minute, you little cheater! You're not going anywhere until you tell me what a Kwyjibo is. Bart (looking at Homer): Kwyjibo? Uh... a big, dumb, balding, North American ape with no chin. Marge: And a short temper! Homer (lunging for the boy): I'll show you a big dumb balding ape!! Bart: Uh oh. Kwyjibo on the loose! Media Sources http://m.youtube.com/watch?v=iBGIUd9niXc The Melissa Virus Website CERT. Advisory, "CA-1999-04 Melissa Macro Virus" 1999.03.27-31 Raul K. Elnitiarta. Symantec.com, W97M.Melissa.A Richard Pethia (Testimony Before the Subcommittee on Technology, Committee on Science, U.S. House of Representatives). CERT, The Melissa Virus: Inoculating Our Information Technology from Emerging Threats 1999.04.15 Stephen Shankland. CNET News, "Feds Issue Warning as Email Virus Spreads". 1999.03.29 -. -, "Melissa Virus Originator Bewildered" 1999.03.30 Robert Lemos. ZDNet News, "What Will Happen in Melissa's Wake?". 1999.04.04 Craig Fosnock. East Carolina University, Computer Worms: Past, Present, and Future Nerds 2.0.1, "A Virus Named Melissa". 1999.03.29 US Department of Justice Press Release, "Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison". 2002.05.01 Raymond G. Kammer. US Department of Commerce, Before the House Science Subcommittee on Technology. 1999.04.15 Martha Mendoza. Associated Press, Hacker goes undercover for the FBI. 2003.09.23 John Borland. CNET News, "Christmas Virus Could Format Hard Drives". 1999.11.19 Matthew W. Beale. E-Commerce Times "One Year Ago: Christmas Day Virus Warning Issued" 1999.11.22, 2000.11.20 EmailAbuse.org, "Prilissa". it:Melissa Category:Macro Category:Billion dollar damage Category:Virus Category:Win32 Category:Win32 virus Category:Microsoft Windows